Recently, I was listening to a podcast in which analysts were debating public and private clouds. During the course of the discussion, one of the participants, a SaaS vendor, made a comment that disturbed me a bit. I think it is important that I address this issue here at CloudAve. It is my humble opinion that we need to get this right for the very success of SaaS and other cloud computing technologies in the future. I will start with a brief background on the public-private debate and then discuss the topic of this post.

Vendors like Amazon and Google brought cloud computing into the vocabulary of the general public with their novel, highly elastic, metered, "electricity-like" offerings. These outsourced services were publicly available for consumption by users over the internet. The very nature of these offerings earned them the name "public clouds", and they were hugely successful with consumers, small businesses and startups.

However, enterprises were reluctant to embrace this idea because of their skepticism about giving up control over their IT to third-party vendors. But the economics of cloud computing was far too attractive for them to ignore completely, especially during this tough economic crisis. Half-heartedly, some of these enterprise users tested the cloud computing waters by sending testing, QA and training workloads to the clouds. Sensing possible trouble for their existing business in the future, and also an opportunity to sell cloud-like features to the enterprises, the old guard of the traditional IT world jumped in to offer what are known as private clouds.

These giants started pushing the idea of private clouds to the enterprises by dangling some of the cloud advantages like scalability, cost savings, automation, etc. But the public cloud evangelists pushed back, claiming that a private cloud is not a cloud at all but a marketing campaign unleashed by the old guard to sell cloud-washed offerings. Even though some companies are resorting to cloud washing, I wouldn't completely dismiss the idea of private clouds. I see private clouds as the first step toward large-scale cloud adoption in the future. Whether we like it or not, public clouds are still in their infancy, and it is unreasonable to expect enterprises, some of them holding crucial regulated data, to jump in. We still need to go further in terms of security, and we still need to reshape the idea of privacy at all levels, from consumers to governments. In the meantime, I have no problem with an intermediate approach where enterprises can avail themselves of some of the benefits of the cloud while the experts shape the technologies needed for security, better optimization, etc.

In short, I see private clouds as

Private Clouds = Public Clouds – Outsourcing Component

Well, this is a very simplistic idea, as it doesn't account for some of the advantages of high scale that are only available with public clouds, but it does serve to explain how the idea of private clouds can help enterprise customers. In my opinion, the religious war between public and private cloud evangelists is unnecessary, and we are better off channeling our energies elsewhere. Second-guessing customers and telling them not to use private clouds because they are not considered clouds is not a market-based approach. I am pretty sure that the very economics of the public cloud will eventually pull these customers in once we have the issues surrounding security and privacy sorted out.

Having explained the public-private cloud debate, I want to go back to the panelist's opinion in the podcast. According to him, thinking about security is old school, and SaaS vendors should rather focus on functionality. I completely disagree with this take, and I will explain my reasoning below.

I do agree that the idea of cloud computing in general, and SaaS in particular, is based on the concept of abstracting away the intricate details of infrastructure, security, application management, etc. Technically, this should lead to users not worrying about anything other than their core business. Even though the motive behind this type of computing is noble, the reality is different. Let us consider some of the relevant issues here.

Cloud computing calls for users to inherently trust their service providers. In real life, we do trust many third-party providers and even governments. So there shouldn't be any problem in trusting these cloud vendors, right? Yes. However, that trust should be based on an understanding of the exact nature of their offerings and not just on their marketing. As an end user, I should be completely convinced that the technology has everything it takes to keep my data safe. Consumers or small businesses can definitely trust the cloud providers and their technology, because it is definitely superior to what these consumers and small businesses currently have on their premises. But for big enterprises, especially regulated ones, this is not such a black-and-white issue. Plus, we are yet to completely solve all the issues surrounding security and privacy. They cannot blindly jump in based on marketing campaigns alone.

Not all cloud providers are the same when it comes to security. Cloud economics has unleashed a significant change in the way business is done in this space. With computing and storage available for pennies, anyone with a good developer background can offer a SaaS application in a short period of time. This removes any need for system admins from the picture. The absence of a system admin on a team has the potential to let the developers go easy on security. The recent Twitter hack is a result of one such approach. In other words, the developers give less importance to security and focus more on functionality, as there is no one to slow them down with dire warnings about security. There is no guarantee that the service offered by such teams is really secure on all layers of the stack, from infrastructure to applications. Plus, there is more to securing the VMs than what providers like Amazon, Rackspace and GoGrid offer out of the box. There is a good chance these SaaS vendors didn't go all the way to secure their VMs. The net result could be disastrous for the users of these apps.

With the widespread use of social media in today's businesses, there is an increasing need to educate employees about the use of social networking tools and the risks associated with social engineering. Anyone who has done some Security 101 training will understand that the weakest link in any organization's security is the careless employee who can be manipulated with social engineering techniques. The recent story about the attack on Google from China confirms that even bigger vendors are falling for such social engineering traps.

So, any talk about "thinking about security is old school" is a bit premature. With Web 2.0 and SaaS, we are mostly seeing adoption by geeks and pundits. There is no widespread adoption by mainstream consumers yet, and only a small segment of businesses is using them. With more and more adoption of these technologies, such attacks are only going to increase. If these providers don't get security (infrastructure, application, people, etc.) right, we are going to see large-scale attacks and chaos. If the SaaS community wants to avoid such a messy scenario, it is important to talk more about security so that the community as a whole can take steps to instill trust among customers. Dismissing security as old school is not the right path to success. Even though functionality is important, security is equally important. Cloud vendors should be proactive on security, and consumers should use due diligence in selecting the right provider.


Director, OpenShift Strategy at Red Hat. Founder of Rishidot Research, a research community focused on services world. His focus is on Platform Services, Infrastructure and the role of Open Source in the services era. Krish has been writing @ CloudAve from its inception and had also been part of GigaOm Pro Analyst Group. The opinions expressed here are his own and are neither representative of his employer, Red Hat, nor CloudAve, nor its sponsors.

One response to "Thinking About Security Is Old School? - A Dangerous Trend"

I disagree with the notion that private clouds are somehow just a step. One size of public clouds doesn’t fit all. Some people are a lot more sensitive to security implications than others so saying that that is a marketing tactic is misconceived. Therefore I think private clouds are here to stay.